Posted February 10, 2016
This is the second blog in a three-part series by our Chief Technology Officer, Allan Thomson. In today’s post, he discusses the role of Threat Intelligence (evidence-based knowledge about an existing hazard, intended to help organizations make informed decisions about their response to that threat) in reducing your organization’s risk profile.
In the previous blog, we discussed the various artifacts of Threat Intelligence and how each may help reduce risk in your security profile. We discussed how important it is to choose the right focus or scope in which Threat Intelligence (TI) is leveraged in your environment. Choosing an appropriate scope ensures an improved return on investment for your TI efforts.
In particular, we mentioned this important lesson:
“Be clear on what scope you want to manage security risk for”
If the scope is too large (i.e. the fire hose), it may be impossible to provide effective security given the volume of information available from an ever-growing global Internet. If the scope is ill-defined or too narrow, you may miss information pertinent to your business needs. The key to being effective without having to drink from the fire hose is focusing the scope for TI.
For the sake of brevity we will refer to this as TI Scope. TI Scope is sometimes considered the same as attack surface. We believe it is not the same. Attack surface refers to all assets in your environment that need to be secured so that threats do not succeed; it typically focuses on systems that interact with the global Internet or that may come into contact with insecure assets.
TI Scope is broader than attack surface. TI Scope refers to not only your own Internet presence but also any direct or indirect relationships you may have with other global Internet presences. It includes the network devices, the applications and the users of those applications for all business needs.
To help define TI Scope, we will describe three categories of TI Scope that you need to consider.
The first category is the set of Owned Assets. This includes employees, known applications used by the enterprise, network infrastructure, web servers, file servers, mail servers, VPN servers, load balancers, owned CIDRs, owned ASNs, owned domains, etc. A good definition of what would be considered Owned Assets is represented by the IT systems defined here.
Put simply, any network, application or user that is connected to the global Internet that is directly owned or part of your organization is part of your TI Scope.
“Understanding and defining your Owned Assets is critical to leveraging the benefits of TI in your environment.”
Capture the following information for all Owned Assets:
- All IPv4 and IPv6 Internet addresses (e.g. 126.96.36.199)
- All Fully Qualified Domains (e.g. www.mycompany.com)
- All owned CIDRs (e.g. 188.8.131.52/24)
- All owned ASNs (e.g. 1456)
- All applications that interact on the Global Internet (e.g. http, smtp, ftp)
- All users (e.g., firstname.lastname@example.org)
Depending on how large your organization is, the list of Owned Assets is potentially very large. We recommend that you group related assets into Collections based on business function (e.g., finance, corporate, engineering, etc.) and priority (e.g., core, backup, standup, etc.). This will help focus on the relevant scope.
Once you’ve established your Owned Assets, ensure that your TI provides as much information as possible across all of these assets. TI vendors provide differing levels of information, with even broader differences in network coverage. Choose TI data feeds that are known to provide useful information for your assets.
The second category for TI Scope defines all Internet users, applications and network systems that you have a known relationship to but may not directly own or have control over. We will call this category Related Assets. This includes outsourced business services and their associated Internet connections, peer ASNs, service provider domains and infrastructure.
Similar to Owned Assets, capture the following information for all Related Assets:
- All IPv4 and IPv6 Internet addresses that you outsource or rely on for services (e.g. 184.108.40.206)
- All Fully Qualified Domains (e.g., www.payrollprovider.com)
- All CIDRs business partners own or use (e.g., 220.127.116.11/24)
- All business partners ASNs (e.g., 2232)
- All applications that you rely on from business partners (e.g., https://my.payrollprovider.com/portal)
- All outsourced users (e.g., email@example.com)
As with Owned Assets, it is helpful to group the Related Assets into Collections based on business (e.g. payroll-outsource, cloud-provider, etc.) and priority (e.g., core).
“Understanding and ensuring you have an accurate definition of your Related Assets to leverage TI on is an important priority.”
Both categories, Owned Assets and Related Assets, are typically determined by organizations through business practices and change as the organization grows or modifies its Internet presence. Maintaining these lists is important, but they can typically be revised and updated periodically by analysts or security personnel.
The final category of TI Scope is the most difficult to determine and maintain. This category refers to all users, applications and network infrastructure that interact, or could interact, with your Owned and Related Assets. This category is called UnDetermined Scope.
UnDetermined Scope contains any networked system, application or user that has an unknown or non-predetermined relationship to your organization. This scope is potentially huge, depending on how large your organization is and how openly it interacts with the global Internet.
Typically, organizations require visibility into real-time data on applications and usage patterns to understand how their Owned and Related Assets are interacting with the UnDetermined Scope. TI on the UnDetermined Scope provides a vital information source to threat analysts and security operations personnel. Having both current and historical context for the TI Scope greatly improves that determination.
“Understanding how the UnDetermined Scope interacts with your Owned and Related Assets is a vital use of TI. Ensuring real-time and historical TI context is available greatly improves that.”
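To make the three categories and the Collection grouping concrete, here is an added Python example written for this page (it is not code from the author or from any vendor's product). It models Owned and Related Assets as Collections of CIDRs, ASNs and domains, classifies each indicator from a raw feed against them, and leaves anything unmatched in the UnDetermined bucket. All collection names, CIDRs, ASNs, domains and feed entries are constructed sample data, not real assets.

```python
"""Added example: a minimal TI Scope model and indicator classifier.

Illustrative code written for this page, not the author's or any vendor's
tooling. Collection names, CIDRs, ASNs and domains are constructed sample
data (RFC 5737 documentation ranges and .example names).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class Collection:
    """One Collection of the TI Scope: assets grouped by business function and priority."""
    name: str
    category: str                      # "owned" or "related"
    business: str                      # e.g. finance, payroll-outsource
    priority: str                      # e.g. core, backup
    cidrs: List[IPNetwork] = field(default_factory=list)
    asns: set = field(default_factory=set)
    domains: List[str] = field(default_factory=list)  # apex names, matched by suffix

    def holds_ip(self, ip) -> bool:
        return any(ip in net for net in self.cidrs)

    def holds_domain(self, fqdn: str) -> bool:
        return any(fqdn == d or fqdn.endswith("." + d) for d in self.domains)


def parse_indicator(value: str):
    """Return (kind, normalized value); kind is 'ip', 'asn' or 'domain'."""
    v = value.strip().lower().rstrip(".")
    if v.startswith("as") and v[2:].isdigit():
        return "asn", int(v[2:])
    try:
        return "ip", ipaddress.ip_address(v)
    except ValueError:
        return "domain", v


def classify(scope: List[Collection], indicator: str) -> Tuple[str, Optional[str]]:
    """Map one indicator onto the TI Scope.

    Returns ("owned" | "related", collection name) on a match and
    ("undetermined", None) when nothing in the scope covers it.
    Owned Assets take precedence over Related Assets when both match.
    """
    kind, value = parse_indicator(indicator)
    for category in ("owned", "related"):
        for coll in scope:
            if coll.category != category:
                continue
            hit = (
                (kind == "ip" and coll.holds_ip(value))
                or (kind == "asn" and value in coll.asns)
                or (kind == "domain" and coll.holds_domain(value))
            )
            if hit:
                return category, coll.name
    return "undetermined", None


def triage_feed(scope: List[Collection], feed: List[str]) -> Dict[str, List[Tuple[str, Optional[str]]]]:
    """Split a raw indicator feed (the fire hose) into owned/related/undetermined buckets."""
    buckets: Dict[str, List[Tuple[str, Optional[str]]]] = {"owned": [], "related": [], "undetermined": []}
    for ind in feed:
        cat, coll = classify(scope, ind)
        buckets[cat].append((ind, coll))
    return buckets


# Constructed sample TI Scope (hypothetical assets, not a real organization).
SAMPLE_SCOPE = [
    Collection("corp-web-core", "owned", "corporate", "core",
               cidrs=[ipaddress.ip_network("203.0.113.0/24")],
               asns={64500},
               domains=["mycompany.example"]),
    Collection("payroll-outsource-core", "related", "payroll-outsource", "core",
               cidrs=[ipaddress.ip_network("198.51.100.0/25")],
               asns={64501},
               domains=["payrollprovider.example"]),
]

# Constructed sample feed lines.
SAMPLE_FEED = [
    "203.0.113.45",                  # inside an owned CIDR
    "mail.mycompany.example",        # under an owned domain
    "AS64501",                       # a partner ASN
    "198.51.100.200",                # outside the partner's /25 -> undetermined
    "my.payrollprovider.example",    # under a partner domain
    "192.0.2.7",                     # unknown to the scope -> undetermined
]

if __name__ == "__main__":
    for cat, items in triage_feed(SAMPLE_SCOPE, SAMPLE_FEED).items():
        print(cat, items)
```

Run stand-alone, the script prints the three buckets. The owned and related buckets are the subset of the feed an analyst can act on directly with the affected Collection already identified; the undetermined bucket is exactly where the real-time and historical context discussed above is needed to decide whether the interaction matters.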
Have your TI Scope defined and agreed by the various teams providing threat analysis, security operations and incident response. It helps drive consistent use of TI, provides a common understanding of the critical assets to protect, and, when threats occur, provides vital understanding of the relationship between affected assets and where mitigation may be applied.
“In summary, TI Scope is a necessary and important artifact of any security organizations playbook. Focusing on a well-defined TI Scope helps avoid drinking from the fire hose.”
In the last installment of this blog series, we will introduce how a well-defined TI Scope enables an organization to leverage the Threat Intelligence that is relevant to it, providing a comprehensive threat assessment.